Differences between revisions 52 and 54 (spanning 2 versions)
Revision 52 as of 2020-01-31 19:17:46
Size: 3626
Editor: nodiscc
Comment: formatting, add aa-unconfined
Revision 54 as of 2020-01-31 19:37:51
Size: 3770
Editor: nodiscc
Comment: WIP wording, formatting, cleanup
Deletions are marked like this. Additions are marked like this.
Line 35: Line 35:
Line 49: Line 50:
List of processes with tcp or udp ports that do not have AppArmor profiles loaded List of processes with tcp or udp ports that do not have AppArmor profiles loaded:
Line 53: Line 54:
}} }}}
Line 57: Line 59:
Find more profiles: !AppArmor profiles live in `/etc/apparmor.d/`. Some packages automatically install their own profiles in this directory. To install more profiles:
Line 59: Line 61:
 * in the DebianPkg:apparmor-profiles-extra package (available in Jessie and newer);
 * in the DebianPkg:apparmor-profiles package;
 * in [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|the patches, with new profiles included]], that were submitted to Debian;
 * in Ubuntu.
 * [[DebianPkg:apparmor-profiles-extra]] provides and enables Debian-specific (not upstreamed) profiles.
 * [[DebianPkg:apparmor-profiles]] provides various experimental profiles, and enables some by default.
 * Check the equivalent [[https://packages.ubuntu.com/search?keywords=apparmor-profiles|Ubuntu packages]]
 * Check newly [[https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-apparmor-team@lists.alioth.debian.org|submitted pacthes/profiles]] for !AppArmor in Debian
Line 64: Line 66:
!AppArmor profiles live in `/etc/apparmor.d/`. One can use [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] to insert them into the kernel. This is done automatically when installing packages that drop policy in `/etc/apparmor.d/`.
Line 105: Line 106:

== See also ==


 * [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] manpage

Translation(s): none

This page describes how to use AppArmor on Debian.


Install software

AppArmor is available in Debian since Debian 7 "Wheezy".

Install AppArmor userspace tools:

Enable AppArmor

If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.

Enable the AppArmor Linux Security Modules (LSM):

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

Inspect the current state

List all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined):

$ sudo aa-status

List running executables which are currently confined by an AppArmor profile:

$ ps auxZ | grep -v '^unconfined'

List of processes with tcp or udp ports that do not have AppArmor profiles loaded:

$ sudo aa-unconfined

Enable / install more profiles

AppArmor profiles live in /etc/apparmor.d/. Some packages automatically install their own profiles in this directory. To install more profiles:

For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (except deny rules that are silently enforced, security policy is not enforced and access violations are logged), do the following:

cd /usr/share/doc/apparmor-profiles/extras
cp -i *.* /etc/apparmor.d/

for f in *.* ; do aa-complain /etc/apparmor.d/$f; done

To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Beware though: many of these profiles are not up-to-date and will break functionality in enforce mode (and possibly even in complain mode); only enforce them if you're ready to improve them upstream.

Debug

AppArmor audit logs can be found in the systemd Journal or in /var/log/syslog.

For more detailed instructions, please read the dedicated documentation for debugging AppArmor.

Report a bug

If you think that you've found a bug in AppArmor or a software in Debian which ships its own profile, you might want to report a bug.

Learn more

Learn more or start contributing.

Disable AppArmor

First, you can disable individual profiles with aa-disable.

But if you want to entirely disable AppArmor on your system, run:

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

See also


CategorySystemSecurity